
Resource `google_compute_target_https_proxy` fails to provision with `certificate_manager_certificates` attribute

Open adamstrawson opened this issue 1 year ago • 19 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version

1.7.2.

Affected Resource(s)

google_compute_target_https_proxy

Terraform Configuration


resource "google_certificate_manager_dns_authorization" "default" {
  name     = "example-com"
  domain   = "example.com"
}

resource "google_certificate_manager_certificate" "default" {
  name     = "example-com"
  scope    = "EDGE_CACHE"
  managed {
    domains = [
      google_certificate_manager_dns_authorization.default.domain,
    ]
    dns_authorizations = [
      google_certificate_manager_dns_authorization.default.id,
    ]
  }
}

resource "google_compute_target_https_proxy" "default" {
  name             = "https-proxy"
  url_map          = google_compute_url_map.default.id # Not included in example
  certificate_manager_certificates = [google_certificate_manager_certificate.default.id]
}

Debug Output

No response

Expected Behavior

The target proxy is created, with the example.com certificate.

Actual Behavior

The creation of google_compute_target_https_proxy fails as the use of managed cloud certificates isn't supported.

google_compute_target_https_proxy.default: Creating...
╷
│ Error: Error creating TargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/{project}/locations/global/certificates/{resource}. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
│
│   with google_compute_target_https_proxy.default,
│   on loadbalancer.tf line 55, in resource "google_compute_target_https_proxy" "default":
│   55: resource "google_compute_target_https_proxy" "default" {

Steps to reproduce

  1. terraform apply

Important Factoids

Using google provider version 5.14.0

References

The above terraform configuration is based on the documented example in the provider documentation: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy#example-usage---target-https-proxy-certificate-manager-certificate

b/324044382

adamstrawson avatar Feb 05 '24 14:02 adamstrawson

@adamstrawson I noticed below error which is from the api. Where did you see it is supported? Can you share the full debug log that contains the requests and responses to the api?

Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid

edwardmedia avatar Feb 05 '24 16:02 edwardmedia

> @adamstrawson I noticed below error which is from the api. Where did you see it is supported? Can you share the full debug log that contains the requests and responses to the api?
>
> Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid

Hi @edwardmedia, support for Certificate Manager is shown within the Google provider documentation, which lists examples of its use. See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy#example-usage---target-https-proxy-certificate-manager-certificate

From a load balancer perspective, it's also shown here: https://cloud.google.com/load-balancing/docs/ssl-certificates#certificate-summary. Note that under "Global external Application Load Balancer", Certificate Manager is supported for both self-managed and Google-managed certificates.

I'll need to do a small POC to be able to supply debug logs, as these resources are part of a larger module, but I'll get that put together shortly.

adamstrawson avatar Feb 05 '24 16:02 adamstrawson

@adamstrawson thanks for the info, and preparing the logs. Waiting for that.

edwardmedia avatar Feb 05 '24 17:02 edwardmedia

Okay, from a bit further digging, this does appear to be an API issue, rather than terraform.

I can recreate the same issue via gcloud, following this documentation https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth.

Do you know the best way to raise API issues, or should I go through our TAM?

adamstrawson avatar Feb 05 '24 17:02 adamstrawson

It is mentioned in the doc that the format below is accepted.

Accepted format is

  • //certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificates/{resourceName}
  • or just the self_link projects/{project}/locations/{location}/certificates/{resourceName}

From the error below, it seems the format does match what it asks for. Forwarding the issue to the service team to take a look at what is behind it.

Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/{project}/locations/global/certificates/{resource}. Cloud certificate reference is not supported for TargetHttpsProxy creation

edwardmedia avatar Feb 05 '24 17:02 edwardmedia

Yeah, I tried both formats as per the docs, both have the same error.

google_certificate_manager_certificate.default.id is the same as projects/{project}/locations/{location}/certificates/{resourceName}

resource "google_compute_target_https_proxy" "default" {
  name             = "https-proxy"
  url_map          = google_compute_url_map.default.id # Not included in example
  certificate_manager_certificates = [google_certificate_manager_certificate.default.id]
}

and I tried

resource "google_compute_target_https_proxy" "default" {
  name             = "https-proxy"
  url_map          = google_compute_url_map.default.id # Not included in example
  certificate_manager_certificates = ["//certificatemanager.googleapis.com/${google_certificate_manager_certificate.default.id}"]
}

My theory above that it's an API issue, rather than the Terraform provider, is because gcloud has the same error, despite this being a documented step in the guide for this specific use case (Ref: https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth#att-cert-target-proxy)

gcloud compute target-https-proxies create foobar \
    --url-map=<snip> \
    --global \
    --certificate-manager-certificates=<snip>
ERROR: (gcloud.compute.target-https-proxies.create) Could not fetch resource:
 - Invalid value for field 'resource.sslCertificates[0]': 'https://certificatemanager.googleapis.com/v1/projects/<snip>/locations/global/certificates/<snip>'. Cloud certificate reference is not supported for TargetHttpsProxy creation.

adamstrawson avatar Feb 05 '24 18:02 adamstrawson

After some further digging, and chatting with GCP support, the recommended(?) way is to use Certificate Maps instead

resource "google_compute_target_https_proxy" "default" {
  name            = "https-proxy"
  url_map         = google_compute_url_map.default.id
  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.default.id}"
}

It would be great to get confirmation on whether that's the case, and whether the attribute certificate_manager_certificates should be removed in favour of certificate_map. Or is there a downstream API error, and it should be possible to use certificate_manager_certificates?

In the meantime, I'm unblocked as I can use certificate_map instead for now.

adamstrawson avatar Feb 06 '24 15:02 adamstrawson
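
The certificate_map workaround from the comment above, written out end to end as an added example (this is not code from the issue or from the provider documentation). It assumes a global external Application Load Balancer whose google_compute_url_map already exists elsewhere in the configuration; the resource names, the example.com domain and the map entry names are constructed placeholders.

```hcl
# Added example: global HTTPS proxy fronted by a Certificate Manager
# certificate map instead of certificate_manager_certificates.
# All names and the domain are constructed placeholders.

resource "google_certificate_manager_dns_authorization" "example" {
  name   = "example-com-dns-auth"
  domain = "example.com"
}

# The CNAME that must be published at the domain before the managed
# certificate can be issued; surfacing it as an output makes the manual
# DNS step visible in the plan/apply output.
output "dns_authorization_record" {
  value = google_certificate_manager_dns_authorization.example.dns_resource_record
}

resource "google_certificate_manager_certificate" "example" {
  name = "example-com"
  managed {
    domains            = [google_certificate_manager_dns_authorization.example.domain]
    dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
  }
}

# The map is what the target proxy references. Entries bind a hostname,
# or the PRIMARY fallback used when no hostname entry matches, to
# one or more certificates.
resource "google_certificate_manager_certificate_map" "example" {
  name        = "example-map"
  description = "Certificate map for the global HTTPS proxy"
}

resource "google_certificate_manager_certificate_map_entry" "example_primary" {
  name         = "example-com-primary"
  map          = google_certificate_manager_certificate_map.example.name
  certificates = [google_certificate_manager_certificate.example.id]
  matcher      = "PRIMARY"
}

resource "google_compute_target_https_proxy" "example" {
  name    = "https-proxy"
  url_map = google_compute_url_map.example.id # assumed to be defined elsewhere

  # certificate_map takes the place of certificate_manager_certificates;
  # the "//certificatemanager.googleapis.com/" prefix is the form the
  # issue reporter confirmed works.
  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.example.id}"
}
```

Because the proxy references the map rather than individual certificates, rotating or adding a certificate is done by changing map entries, and the proxy itself does not need to be updated.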

This issue also affects the google_compute_region_target_https_proxy, which does not have a similar workaround unfortunately as it does not support the use of a certificate_map. Any resolution is greatly appreciated.

Daniel-I-Am avatar Mar 19 '24 13:03 Daniel-I-Am

Without full configuration it is hard to do a proper analysis. At this point certificate_manager_certificates are not supported by Global External Application Load Balancer. certificate_map only works with Global External Application Load Balancer so I can guess that your configuration is not supported yet. google_compute_region_target_https_proxy should not have the same problem as all regional products support certificate_manager_certificates.

pawelJas avatar May 14 '24 15:05 pawelJas

When I posted my message I had assumed the information above would be sufficient. Here's all the information I would have posted if I had opened this as a new report, in case it helps. This is quite similar to some things above, but for the google_compute_region_target_https_proxy and associated regional resources, instead of global ones.

The documentation mentions certificate_manager_certificates can be configured, but doing so according to the documentation leads to failures from the API.

The documentation mentions two formats being accepted. I attempted both.

Terraform output full URI

Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 will be created
  + resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
      + certificate_manager_certificates = [
          + "//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1",
        ]
      + creation_timestamp               = (known after apply)
      + id                               = (known after apply)
      + name                             = "cloud-run-internal-https-proxy-ccm-west1-new"
      + project                          = "<my-project>"
      + proxy_id                         = (known after apply)
      + region                           = "europe-west1"
      + self_link                        = (known after apply)
      + url_map                          = "projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: Creating...
╷
│ Error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
│
│   with google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1,
│   on ilb.tf line 35, in resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1":
│   35: resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {

Terraform output self_link

Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 will be created
  + resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
      + certificate_manager_certificates = [
          + "projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1",
        ]
      + creation_timestamp               = (known after apply)
      + id                               = (known after apply)
      + name                             = "cloud-run-internal-https-proxy-ccm-west1-new"
      + project                          = "<my-project>"
      + proxy_id                         = (known after apply)
      + region                           = "europe-west1"
      + self_link                        = (known after apply)
      + url_map                          = "projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: Creating...
╷
│ Error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': 'https://certificatemanager.googleapis.com/v1/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
│
│   with google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1,
│   on ilb.tf line 35, in resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1":
│   35: resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {

Terraform configuration

resource "google_compute_region_url_map" "cloud_run_internal_url_map_west1" {
  name   = "cloud-run-internal-west1"
  region = var.region_west1

  default_url_redirect {
    https_redirect         = true
    host_redirect          = "www.example.com"
    path_redirect          = "/"
    strip_query            = true
    redirect_response_code = "FOUND"
  }
}

resource "google_certificate_manager_dns_authorization" "internal_load_balancer_domain_west1" {
  name        = "internal-load-balancer-dns-auth-${var.environment}-west1"
  location    = var.region_west1
  description = "The internal load-balancer dns auth (${var.region_west1})"
  domain      = "<my-domain>"

  depends_on = [google_project_service.certificatemanager]
}

resource "google_certificate_manager_certificate" "wildcard_internal_load_balancer_domain_west1" {
  name        = "wildcard-internal-load-balancer-${var.environment}-west1"
  location    = var.region_west1
  description = "The wildcard cert for *.<my-domain> (${var.region_west1})"

  managed {
    domains = [
      "<my-domain>",
      "*.<my-domain>"
    ]

    dns_authorizations = [
      google_certificate_manager_dns_authorization.internal_load_balancer_domain_west1.id
    ]
  }
}

resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
  name    = "cloud-run-internal-https-proxy-ccm-west1-new"
  region  = var.region_west1
  url_map = google_compute_region_url_map.cloud_run_internal_url_map_west1.id

  certificate_manager_certificates = [
    "//certificatemanager.googleapis.com/${google_certificate_manager_certificate.wildcard_internal_load_balancer_domain_west1.id}",
    # Or use the self_link format (which matches the id attribute)
    #google_certificate_manager_certificate.wildcard_internal_load_balancer_domain_west1.id,
  ]
}

Relevant debug output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 will be created
  + resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
      + certificate_manager_certificates = [
          + "//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1",
        ]
      + creation_timestamp               = (known after apply)
      + id                               = (known after apply)
      + name                             = "cloud-run-internal-https-proxy-ccm-west1-new"
      + project                          = "<my-project>"
      + proxy_id                         = (known after apply)
      + region                           = "europe-west1"
      + self_link                        = (known after apply)
      + url_map                          = "projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
2024-05-15T11:40:55.999+0200 [DEBUG] command: asking for input: "\nDo you want to perform these actions?"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

[CUT irrelevant ProviderTransformer/ReferenceTransformer/pruneUnusedNodes log lines]
google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: Creating...
2024-05-15T11:41:00.428+0200 [INFO]  Starting apply for google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1
2024-05-15T11:41:00.431+0200 [DEBUG] google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: applying the planned Create change
2024-05-15T11:41:00.432+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] converting the field CertificateManagerCertificates to sslCertificates before sending the request
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Creating new RegionTargetHttpsProxy: map[string]interface {}{"name":"cloud-run-internal-https-proxy-ccm-west1-new", "region":"projects/<my-project>/global/regions/europe-west1", "sslCertificates":[]interface {}{"//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1"}, "urlMap":"projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"}
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Waiting for state to become: [success]
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Retry Transport: starting RoundTrip retry loop
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Retry Transport: request attempt 0
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Google API Request Details:
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ---[ REQUEST ]---------------------------------------
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: POST /compute/v1/projects/<my-project>/regions/europe-west1/targetHttpsProxies?alt=json HTTP/1.1
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Host: compute.googleapis.com
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: User-Agent: Terraform/1.7.5 (+https://www.terraform.io) Terraform-Plugin-SDK/2.31.0 terraform-provider-google/5.21.0
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Length: 374
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Type: application/json
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Goog-User-Project: <my-project>
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Accept-Encoding: gzip
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: {
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  "name": "cloud-run-internal-https-proxy-ccm-west1-new",
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  "region": "projects/<my-project>/global/regions/europe-west1",
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  "sslCertificates": [
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   "//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1"
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  ],
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  "urlMap": "projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: }
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: -----------------------------------------------------
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] Google API Response Details:
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ---[ RESPONSE ]--------------------------------------
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: HTTP/2.0 400 Bad Request
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Cache-Control: private
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Type: application/json; charset=UTF-8
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Date: Wed, 15 May 2024 09:41:01 GMT
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Server: ESF
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Origin
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: X-Origin
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Referer
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Content-Type-Options: nosniff
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Frame-Options: SAMEORIGIN
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Xss-Protection: 0
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   "error": {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "code": 400,
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "errors": [
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:       {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "domain": "global",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "reason": "invalid"
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:       }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     ]
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: -----------------------------------------------------
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 400 with body: HTTP/2.0 400 Bad Request
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Cache-Control: private
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Type: application/json; charset=UTF-8
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Date: Wed, 15 May 2024 09:41:01 GMT
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Server: ESF
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Origin
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: X-Origin
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Referer
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Content-Type-Options: nosniff
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Frame-Options: SAMEORIGIN
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Xss-Protection: 0
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   "error": {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "code": 400,
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "errors": [
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:       {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "domain": "global",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "reason": "invalid"
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:       }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     ]
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] Retry Transport: Returning after 1 attempts
2024-05-15T11:41:01.085+0200 [ERROR] provider.terraform-provider-google_v5.21.0_x5: Response contains error diagnostic: tf_proto_version=5.4 tf_req_id=dcd22c46-a487-a1ec-e8a1-8f8b7f511edc diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid" tf_provider_addr=registry.terraform.io/hashicorp/google tf_resource_type=google_compute_region_target_https_proxy tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:62 @module=sdk.proto timestamp="2024-05-15T11:41:01.085+0200"
2024-05-15T11:41:01.118+0200 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2024-05-15T11:41:01.118+0200 [ERROR] vertex "google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1" error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
╷
│ Error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
│
│   with google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1,
│   on ilb.tf line 35, in resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1":
│   35: resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
│
╵
2024-05-15T11:41:01.134+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] [transport] [server-transport 0xc0012761a0] Closing: Server.Stop called
2024-05-15T11:41:01.134+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] [transport] [server-transport 0xc0012761a0] loopyWriter exiting with error: transport closed by client
2024-05-15T11:41:01.134+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-05-15T11:41:01.136+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/google/5.21.0/linux_amd64/terraform-provider-google_v5.21.0_x5 pid=108696
2024-05-15T11:41:01.136+0200 [DEBUG] provider: plugin exited

Daniel-I-Am avatar May 15 '24 09:05 Daniel-I-Am

@Daniel-I-Am I agree that documentation is not clear about the support. At the moment the certificate_manager_certificates are not supported for:

  • Global UrlMaps with External, External_Managed or Internal_Self_Managed BackendServices
  • Global UrlMaps with BackendBuckets (as those are External or External_Managed only)
  • Any UrlMaps which have no BackendServices.

The last one is a bug/feature gap which should be fixed this year by allowing LoadBalancingScheme to be set in UrlMap (optional field). For now the workaround is to add a dummy BackendService in a dummy PathMatcher in the UrlMap. The BackendService does not need to have any Backends; it just needs to show the scheme.

pawelJas avatar May 15 '24 12:05 pawelJas
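To make the workaround above concrete, here is an added example configuration (not from this thread and not the provider's own documentation) for the regional case shown in Daniel-I-Am's output: a regional UrlMap that only redirects gets a dummy host rule and PathMatcher pointing at a backend-less BackendService, which carries the INTERNAL_MANAGED scheme, so the regional TargetHttpsProxy can reference a Certificate Manager certificate. The resource names, the europe-west1 region, the redirect target, and the cert.pem/key.pem paths are assumptions; the certificate_manager_certificates attribute and the //certificatemanager.googleapis.com/ URL form follow the provider docs and the error output above, and the claim that the API accepts a BackendService with no backends is pawelJas's.

```hcl
# Added example, not from the issue thread. Assumed: region europe-west1,
# resource names, redirect host, and local PEM files for a self-managed
# regional certificate (a managed certificate with a regional DNS
# authorization works the same way from the proxy's point of view).

resource "google_certificate_manager_certificate" "ilb" {
  name     = "ilb-cert"
  location = "europe-west1" # regional certificate; must match the proxy's region
  self_managed {
    pem_certificate = file("cert.pem") # assumed path
    pem_private_key = file("key.pem")  # assumed path
  }
}

# Backend-less BackendService: its only purpose is to expose the
# load-balancing scheme that a redirect-only UrlMap otherwise lacks.
resource "google_compute_region_backend_service" "scheme_carrier" {
  name                  = "dummy-scheme-carrier"
  region                = "europe-west1"
  protocol              = "HTTPS"
  load_balancing_scheme = "INTERNAL_MANAGED"
  # intentionally no backend {} blocks and no health check
}

resource "google_compute_region_url_map" "redirect_only" {
  name   = "redirect-only"
  region = "europe-west1"

  # What the UrlMap really does: redirect every request elsewhere.
  default_url_redirect {
    host_redirect          = "www.example.com" # assumed target
    https_redirect         = true
    redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
    strip_query            = false
  }

  # Dummy host rule + PathMatcher so the UrlMap references a BackendService.
  # "unused.invalid" never matches real traffic (.invalid is reserved).
  host_rule {
    hosts        = ["unused.invalid"]
    path_matcher = "scheme-carrier"
  }

  path_matcher {
    name            = "scheme-carrier"
    default_service = google_compute_region_backend_service.scheme_carrier.id
  }
}

resource "google_compute_region_target_https_proxy" "ilb" {
  name    = "ilb-https-proxy"
  region  = "europe-west1"
  url_map = google_compute_region_url_map.redirect_only.id
  # Full Certificate Manager URL, as seen in the error output in this thread.
  certificate_manager_certificates = [
    "//certificatemanager.googleapis.com/${google_certificate_manager_certificate.ilb.id}",
  ]
}
```

Once the UrlMap has a BackendService with a scheme, the proxy creation no longer fails with "Cloud certificate reference is not supported"; the dummy BackendService and PathMatcher can be removed again once the UrlMap gains the optional LoadBalancingScheme field pawelJas mentions.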

Oh wow. Now I understand the things I was seeing. I have been able to roll it out once for one load balancer, but not any other. The difference being that the one where it succeeded did have backend services configured and others did not, as they were set up quickly for testing with just a default redirect (I did not realize that this could even cause this oddity). I had opened a ticket with Google Cloud support, but they were unable to tell me what was happening.

Thanks for the explanation, clears up a lot for me :)

This does unblock me for the time being, but still leaves the same questions open for this issue.

Daniel-I-Am avatar May 15 '24 12:05 Daniel-I-Am

@adamstrawson Thanks for bringing up this issue.

@Daniel-I-Am Thanks for contributing with your terraform output and configuration

@pawelJas Thanks for pointing out the unsupported configurations as of now. As I was stumbling across one of these unsupported combinations yesterday and then decided to go with a certificate map (as pointed out by @adamstrawson), I found that the combination is working Terraform- and GCP-wise, but unfortunately the GCP UI is not showing the certificate properly afterwards when viewing the details of the global Load Balancer set up via Terraform. Are there any plans on the roadmap to either allow the certificate_manager_certificates for global Load Balancers or to fix the issue of the UI not showing the certificate properly?

Thanks to all of you and best regards, Tim.

bahag-klickst avatar Jun 01 '24 19:06 bahag-klickst

Hi @bahag-klickst,

I have reached out to the UI team and I have confirmed that certificate_map is not supported yet. It is possible to view the certificate_map in the TargetHttpsProxy or TargetSslProxy detailed view but not at the Global Load Balancer view. They are starting to work on that and say that it should be launched by the end of the year.

certificate_manager_certificates for Global External Load Balancer work should also start soon, but might take more time. Probably will be ready some time in 2025.

pawelJas avatar Jun 03 '24 12:06 pawelJas

Hey @pawelJas, do we have the different use cases between certificate_manager_certificates and certificate_map documented anywhere in the API/g3 doc? We (Config Connector) also have Cx reporting the same issue. From the log, the error originates from the Google API. Sharing the official API documentation with Cx would be helpful, and we can update our documentation accordingly.

gemmahou avatar Jun 12 '24 22:06 gemmahou

Hey @gemmahou. I could not find any dedicated page describing which should be used. What I found is that Public TargetHttpsProxy Resource doc doesn't specify the supported products in the field descriptions. I can fix that. Hamza has corrected Terraform docs already.

pawelJas avatar Jul 06 '24 11:07 pawelJas

I have submitted an update for Public TargetHttpsProxy Resource doc, it might take a month before it is out.

pawelJas avatar Jul 10 '24 13:07 pawelJas

@pawelJas does this relate to the scope? I tried creating a certificate with the scope DEFAULT and it works, but not GLOBAL.

re-thc avatar Aug 23 '24 06:08 re-thc

Hey @re-thc, that is a good question. I think the docs should be updated to clarify the Certificate type compatibility.

Regional certificates support only DEFAULT and those work with regional L7 Load Balancers. The only requirement is to be in the same region. For Global Load Balancers the Certificate Type matters.

  • DEFAULT -> Global External Load Balancers (not supported yet)
  • ALL_REGIONS -> Global Internal Load Balancer
  • EDGE_CACHE -> Media CDN

pawelJas avatar Aug 23 '24 09:08 pawelJas

FWIW, based on the above, I'd think this can't work even with a certificate map? Maybe someone already pointed this out, but I think global external LBs do support this if you use the certificate map as a buffer, so like (resource attributes omitted for brevity / simplicity):

resource "google_certificate_manager_dns_authorization" "foo" {}
resource "google_certificate_manager_certificate" "foo" {}
resource "google_certificate_manager_certificate_map" "foo" {}
resource "google_certificate_manager_certificate_map_entry" "foo" {}
resource "google_compute_target_https_proxy" "foo_target_proxy" {
  [...]
  # The first (commented out) one _doesn't_ work:
  # ssl_certificates = [google_certificate_manager_certificate.foo.id]
  certificate_map = google_certificate_manager_certificate_map.foo.id
}

It's interesting to me that the actual resource path is projects/[project]/locations/global/certificates/foo and the .id exported there is correct, but the error references the same path but with sslCertificates instead.

Also, google_certificate_manager_certificate_map doesn't seem to directly export as an attribute or output the ID format (with //certificatemanager.googleapis.com/... prefixing the ID) that the proxy resource wants to consume, and the google_compute_target_https_proxy doesn't seem to accept the bare ID.

If regular compute managed certificates also supported DNS auth, or some other form of auth, that would also be nice. But, given that this is a more flexible way of provisioning certificates, it would be nice if the process of using them could be a little more streamlined.

wyardley avatar Jan 10 '25 00:01 wyardley

Indeed, this does work with a Global External LB and a DEFAULT scope certificate with a map in between. This is the syntax:

resource "google_compute_target_https_proxy" "public" {
  name            = "public"
  url_map         = google_compute_url_map.public.self_link
  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.public.id}"
}

This is also documented in the terraform module:

For EXTERNAL and EXTERNAL_MANAGED, use certificate_map instead.

akvadrako avatar Jan 20 '25 16:01 akvadrako
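Putting together the scope list from pawelJas, wyardley's resource chain, and akvadrako's certificate_map syntax, here is an added, complete example (mine, not code from this thread or from the provider) of a global external LB fronted by a DEFAULT-scope Certificate Manager certificate via a certificate map, including the DNS record the authorization needs. The domain, the managed zone name, and the resource names are assumptions; the attribute names are those of the google provider resources used in this thread.

```hcl
# Added example, not from the issue thread. Assumed: domain example.com,
# Cloud DNS managed zone "example-zone", resource names, and that
# google_compute_url_map.public exists elsewhere in the configuration.

resource "google_certificate_manager_dns_authorization" "public" {
  name   = "example-com-dns-auth"
  domain = "example.com"
}

# The CNAME that proves domain ownership; without it the managed
# certificate stays in PROVISIONING and the LB serves no cert.
resource "google_dns_record_set" "acme_cname" {
  managed_zone = "example-zone" # assumed zone
  name         = google_certificate_manager_dns_authorization.public.dns_resource_record[0].name
  type         = google_certificate_manager_dns_authorization.public.dns_resource_record[0].type
  ttl          = 300
  rrdatas      = [google_certificate_manager_dns_authorization.public.dns_resource_record[0].data]
}

resource "google_certificate_manager_certificate" "public" {
  name  = "example-com"
  scope = "DEFAULT" # DEFAULT is the scope a global external LB uses (via a map)
  managed {
    domains            = [google_certificate_manager_dns_authorization.public.domain]
    dns_authorizations = [google_certificate_manager_dns_authorization.public.id]
  }
}

# The map is the "buffer" wyardley describes: the proxy references the map,
# the map entry references the certificate.
resource "google_certificate_manager_certificate_map" "public" {
  name = "public-map"
}

resource "google_certificate_manager_certificate_map_entry" "public" {
  name         = "example-com-entry"
  map          = google_certificate_manager_certificate_map.public.name
  certificates = [google_certificate_manager_certificate.public.id]
  hostname     = "example.com"
}

resource "google_compute_target_https_proxy" "public" {
  name    = "public"
  url_map = google_compute_url_map.public.self_link
  # The map's .id lacks the //certificatemanager.googleapis.com/ prefix the
  # proxy expects, so it is prepended here, as in akvadrako's snippet.
  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.public.id}"
  # Do not set ssl_certificates or certificate_manager_certificates here:
  # for EXTERNAL / EXTERNAL_MANAGED the map is the only supported route.
}
```

After apply, check `google_certificate_manager_certificate.public` for state ACTIVE (the CNAME must have propagated) before expecting TLS handshakes on the LB to succeed; the proxy itself is created immediately, since the map, not the certificate, is what the API validates.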

Thank you, @akvadrako. Your hint about going via the certificate map in between has worked!

sshcherbakov avatar Apr 03 '25 08:04 sshcherbakov